- From: Ian Melven <imelven@mozilla.com>
- Date: Mon, 31 Dec 2012 16:09:39 -0800 (PST)
- To: Yoav Weiss <yoav@yoav.ws>
- Cc: public-webappsec@w3.org, Mike West <mkwst@google.com>
Hi Yoav, ----- Original Message ----- From: "Yoav Weiss" <yoav@yoav.ws> To: "Mike West" <mkwst@google.com> Cc: public-webappsec@w3.org Sent: Sunday, December 30, 2012 3:01:48 PM Subject: Re: CSP and inline styles > A different random thought - correct me if I'm wrong but there are 3 main dangers from injected styles: > * "javascript:" scheme URL or equivalent "data:" URIs > * "expression()" - Not sure it is still relevant past IE8 > * Defacing we discussed this a little while ago and other threats were mentioned : * using CSS selectors to steal passwords (http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0052.html) * phone home/exfiltration attacks these can be blocked by using appropriate img-src and font-src directives (falling back to (what is hopefully) a strict default-src) I think there's at least some level of consensus that preventing defacement is not a goal for CSP. thanks, ian
Received on Tuesday, 1 January 2013 00:10:07 UTC